Risk Reduction

At this point we know:
- We have identified the hazards
- The cause / consequence pairs of the hazards
- The likelihood or frequency of the hazards

Now we need to ask ourselves:
- What is our Risk Target / Tolerability Criteria?
- Do we need to reduce the risk to make it As Low As Reasonably Practicable ("ALARP")?
- If so, how much risk reduction is required?
- Do we need a SIF to fill the gap to meet the Risk Target?
Risk Reduction: Design Principles

[Figure: flow of the design principles. Hazard identified -> risk estimated / calculated -> tolerable risk established -> risk reduction requirement -> safety function defined]
Risk Perception

- There are different levels of risk:
  - High Consequence Low Frequency, e.g. being struck by lightning, 14 million to 1
  - Low Consequence High Frequency, e.g. office work: paper cuts etc.
  - Beware low frequency / high consequence events

- Tolerable Risk
  - Lies between negligible and unacceptable
  - The ALARP Region also requires consideration of reasonable practicability, established good practice & cost / benefit analysis
  - HSE "Reducing Risks, Protecting People" (R2P2) and website for additional ALARP & CBA guidance
Individual Risk

Individual risk is the risk experienced by a single individual in a given time period. It reflects the severity of the hazards and the amount of time the individual is in proximity to them. The number of people present does not significantly affect it.

Individual risk is defined formally by the IChemE (1992) as the frequency at which an individual may be expected to sustain a given level of harm from the realisation of specified hazards. It is usually taken to be the risk of death, and usually expressed as a risk per year.
Fatal Accident Rate - FAR

Individual risks for workers are commonly expressed as a fatal accident rate (FAR), which is the number of fatalities per 10^8 exposed hours. FARs are typically in the range 1-30, and are more convenient and readily understandable than individual risks per year, which are typically in the range 10^-3 - 10^-6. The number of 10^8 exposed hours is roughly equivalent to the number of hours at work in 1000 working lifetimes. The FAR measure was developed to describe onshore occupational risks, which only apply during working hours. Hence, in onshore studies, 'exposed hours' is taken to mean 'hours at work', and the FAR is defined as:

Onshore FAR = (Fatalities at work x 10^8) / (Person hours at work)
Societal Risk

Societal risk is the risk experienced in a given time period by the whole group of personnel exposed. It reflects the severity of the hazard and the number of people in proximity to it. It is usually taken to refer to the risk of death, and usually expressed as a risk per year.

Societal risks are defined by the IChemE (1992) as the relationship between the frequency and the number of people suffering a given level of harm from the realisation of specified hazards. This definition excludes single-figure measures such as annual fatality rate (see below) and so the wider definition above is preferred. The term 'societal risk' is also sometimes taken to refer to members of the public.

Societal risks are generally expressed in the form of FN curves showing the relationship between the cumulative frequency (F) and number of fatalities (N).

[Figure 4: Transport FN-curves for 2001 and FN-criteria]
ALARP boundaries for individual risks: typical values

[Figure: the ALARP 'carrot' diagram, risk magnitude decreasing from top to bottom]

Intolerable region (typically fatality risk is higher than 1 x 10^-4 per year for the public): risk cannot be justified except in extraordinary circumstances.

The ALARP or tolerability region: tolerable only if further risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained (risk is undertaken only if a benefit is desired). Tolerable if the cost of reduction would exceed the improvements gained.

Broadly acceptable region (typically fatality risk is lower than 1 x 10^-6 per year): it is necessary to maintain assurance that risk remains at this level.
Government Tolerable Risk Criteria Summary

Maximum acceptable individual risk to the public (per year):

Country      | Criterion
UK           | 1 x 10^-4
Hong Kong    | 1 x 10^-5
Netherlands  | 1 x 10^-6
Australia    | 1 x 10^-6
As Low As Reasonably Practicable (HSE)

- The concept of "Reasonably Practicable" is fundamental to the setting of Health & Safety goals rather than being prescriptive.

- In most cases it can be achieved by implementing existing "good practice", e.g. IEC 61511 for Safety Instrumented Systems.

- For high hazard scenarios a more formal decision making technique is required, which could include event trees, fault trees, fire and gas modelling, possibly compiled as a safety case or safety report that includes cost benefit analysis, sensitivity analysis and optioneering.

- Reasonably Practicable means (Edwards v NCB [1949]) weighing the risk against the sacrifice needed to further reduce it, always weighting the decision in favour of H&S because the presumption is always that the risk reduction measure should be implemented.


ProSalus Limited, Functional Safety Engineering, Slide 4 - 11


Cost Benefit Analysis (HSE)


- Benefits can include: reduction in risk to workers & the public; cost of avoidance of contamination, environmental damage, site evacuation; deployment of emergency services

- Typical costs of prevention of H&S impact on people are (HSE):
  - Fatality - £1,336,800 (x2 for cancer)
  - Permanent injury - £207,200
  - Serious injury - £20,500
  - Slight - £300

- Typical disproportion factors (HSE) "rules of thumb":
  - 3 for risks to workers
  - 2 for low risks to members of the public
  - 10 for high risk scenarios, i.e. multiple fatalities
CBA Worked Example (HSE)

- Consider a chemical plant with a process that, if it were to explode, could lead to:
  - 20 fatalities
  - 40 permanently injured
  - 100 seriously injured
  - 200 slightly injured
- The rate of this explosion is 1 in 100,000 per year.
- The plant has an estimated lifetime of 25 years.

- How much could the company reasonably spend to eliminate (reduce to zero) the risk from the explosion?
- If the risk of explosion were to be eliminated, the benefits can be assessed to be:
  - Fatalities: 20 x £1,336,800 x 1 x 10^-5 x 25 yrs = £6,684
  - Permanent injuries: 40 x £207,200 x 1 x 10^-5 x 25 yrs = £2,072
  - Serious injuries: 100 x £20,500 x 1 x 10^-5 x 25 yrs = £512
  - Slight injuries: 200 x £300 x 1 x 10^-5 x 25 yrs = £15
  - Total benefits = £9,283

- The sum of £9,283 is the estimated benefit of eliminating the major accident explosion at the plant on the basis of avoidance of casualties. (This does not include discounting or take account of inflation.)

- For a measure to be deemed not reasonably practicable, the cost has to be grossly disproportionate to the benefits.

- This is taken into account by the disproportion factor (DF). In this case, the DF must reflect that the consequences of the explosion are high. Therefore, based on HSE guidance, a DF of 10 is considered reasonable.

- Therefore it would be reasonably practicable to spend up to somewhere in the region of £93,000 (£9,300 x 10) to eliminate the risk of an explosion on the plant.
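The calculation above, carried through in an added Python example that is not part of the slides and not an HSE tool: the benefit is summed per casualty class from the slide's HSE unit costs, the disproportion factor is picked with the slide's rules of thumb, and a candidate measure is then tested against benefit x DF. The function names are my own.

```python
# HSE values for the prevention of harm to people, as quoted on the slide (GBP).
COST_PER_CASUALTY = {
    "fatality": 1_336_800,        # x2 for cancer
    "permanent_injury": 207_200,
    "serious_injury": 20_500,
    "slight_injury": 300,
}
CANCER_FATALITY_MULTIPLIER = 2


def disproportion_factor(workers_only: bool, multiple_fatalities: bool) -> int:
    """HSE 'rule of thumb' disproportion factors as quoted on the slide."""
    if multiple_fatalities:
        return 10                     # high risk scenarios, i.e. multiple fatalities
    return 3 if workers_only else 2   # 3 for workers, 2 for low risks to the public


def benefit_of_elimination(casualties: dict, event_frequency_per_year: float,
                           plant_lifetime_years: float, cancer: bool = False) -> float:
    """Expected casualty cost avoided over the plant life if the event is eliminated.

    No discounting or inflation is applied, matching the slide's simplification.
    """
    total = 0.0
    for kind, number in casualties.items():
        unit_cost = COST_PER_CASUALTY[kind]
        if kind == "fatality" and cancer:
            unit_cost *= CANCER_FATALITY_MULTIPLIER
        total += number * unit_cost * event_frequency_per_year * plant_lifetime_years
    return total


def justified_spend(benefit: float, df: int) -> float:
    """Upper bound on reasonably practicable spend: benefit x disproportion factor."""
    return benefit * df


def is_reasonably_practicable(measure_cost: float, benefit: float, df: int) -> bool:
    """A measure is only 'not reasonably practicable' when its cost is grossly
    disproportionate to the benefit, i.e. exceeds benefit x DF."""
    return measure_cost <= justified_spend(benefit, df)


def chemical_plant_example() -> dict:
    """The slide's worked example: 1 in 100,000 per year explosion, 25-year plant life."""
    casualties = {"fatality": 20, "permanent_injury": 40,
                  "serious_injury": 100, "slight_injury": 200}
    benefit = benefit_of_elimination(casualties, 1e-5, 25)
    df = disproportion_factor(workers_only=False, multiple_fatalities=True)
    return {"benefit": benefit, "df": df, "max_spend": justified_spend(benefit, df)}


if __name__ == "__main__":
    r = chemical_plant_example()
    print(f"benefit £{r['benefit']:,.0f}, DF {r['df']}, spend up to £{r['max_spend']:,.0f}")
```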


Risk Management can be applied in three ways:
- Reduce the consequences to an acceptable level, or
- Reduce the frequency to an acceptable level, or
- Reduce the overall risk to an acceptable level


Risk Analysis Techniques

- Risk Analysis is the systematic use of available information to identify hazards and to estimate the risk to individuals, groups (societal), assets or the environment.
- Risk Estimation is the process used to produce a measure of the level of risk for the hazard being analysed and consists of:
  - Frequency Analysis
  - Consequence Analysis
- Risk Evaluation is the judgement as to whether the risk is tolerable, taking into account a country's risk criteria and other factors such as environmental and socio-economic aspects.
Typical Risk Analysis Techniques used in the Process Industry

- Event Tree Analysis
- Failure Mode and Effect Analysis & Criticality Analysis
- Fault Tree Analysis
- Hazard and Operability Studies (HAZOP)
- Human Reliability Analysis
- Preliminary Hazard Analysis (HAZID)
- Reliability Block Diagrams
- Consequence Models
- Sneak Analysis
Frequency Analysis

- Used to estimate the likelihood of each identified hazardous event
- Three approaches are commonly used to estimate frequencies:
  1. Use relevant historical failure data, e.g. OREDA, AIChE, FARADIP
  2. Frequency of event derived from analytical techniques, e.g. ETA, FTA
  3. Use of expert judgement
Frequency Analysis (DNV)

[Figure: inputs to frequency analysis. Historical incident records and population data; fault tree analysis and event tree analysis; common cause analysis, human reliability analysis and external event analysis; all feeding the estimate of likelihood (frequency or probability)]
Failure Case Frequency Calculation Method, based on the historical data method

[Figure; slide courtesy of DNV]
Consequence Analysis

- Used to estimate the likely impact on individuals, populations (societal), property or the environment should the undesired event identified during hazard identification occur
- Usually an estimate of the number of people (receptors), located in different environments at different distances from the source of the event, that might be either killed, injured or seriously affected by the event
- Events usually comprise:
  - Release of toxic materials
  - Fires
  - Explosions
  - Projectiles
- Further information: Guidelines for Chemical Process QRA, CCPS publication, ISBN 0 8169 0720 X
Consequence Analysis

[Figure: consequence modelling chain. Discharge models -> dispersion models -> flammable and toxic effect models. Slide courtesy of DNV]
Example of presenting Risk Contours

[Figure: risk contours plotted on a map grid (northing 590 000 to 604 000, easting 13 000 to 18 000). Slide courtesy of DNV]
Example of presenting a Fire Model

[Figure: fire model output, radiation levels in kW/m²]
Bow Tie Diagram

- Simple graphical means to illustrate the relationship between:
  - Major risk / hazard / undesirable event
  - Its causes / threats
  - Its consequences
  - The associated prevention and mitigation controls
- Helps demonstrate how major risks are controlled
- Supports the Safety Case
- Can be Qualitative or Semi-Quantitative
IEC 61511 Safety Allocation and Risk Reduction Analysis Techniques
Introduction to Risk Reduction

- Risk reduction can be achieved through any of the techniques which impact on the reduction of risk
- Risk can be spread across several techniques, usually termed safety allocation:
  - Process design - focuses on inherent safety;
  - Technical Safety - focuses on passive protection measures;
  - Functional Safety - focuses on active protection measures;
  - Procedures & Process Safety Management
- All of these activities can form a part of the ALARP argument
Impact of Risk Reduction Techniques

- Process design - reduction in severity of consequences and frequency of occurrence factors
- Mechanical design - reduction in severity of consequences and frequency of occurrence factors
- Layout design - reduction in severity of consequences and frequency of occurrence factors
- Control System design - frequency of occurrence factors
- Alarms - frequency of occurrence factors
- SIS design - frequency of occurrence factors
- F&G design - reduction in severity of consequences
Risk Reduction Analysis techniques can be:
- Qualitative: everything expressed in words
- Quantitative: everything expressed in numbers
- Semi-quantitative: a mixture of words and numbers

IEC 61511 Risk Reduction Analysis techniques:
- Simplified Risk Models
- Fault tree analysis (FTA)
- Event tree analysis (ETA)
- Layer of protection analysis (LOPA)
[Figure: IEC 61511 risk reduction concept. A risk scale runs from residual risk, through tolerable risk, up to the risk of the hazardous event; the necessary risk reduction is provided by different protection layers (SIS, other technology safety-related systems, external risk reduction facilities), whose combined effect is the actual risk reduction]
Safety Through Layers of Protection

[Figure: concentric layers of protection, innermost first. Process control layer: basic process control system; process alarm; operator intervention. Prevent: trip level alarm; safety instrumented system. Mitigate: relief valve, rupture disk; dike; plant and emergency response]
Simplified Risk Reduction Terms and Equations for use in Low Demand mode Applications

Ft  = Tolerable Risk Frequency
Fnp = Unprotected Risk Frequency
Fp  = Protected Risk Frequency

The Risk Reduction Factor:
RRF = Fnp / Ft

Safety Availability:
SA% = (RRF - 1) x 100 / RRF

Probability of Failure on Demand:
PFDavg = 1 / RRF = Ft / Fnp
Example of Simple Risk Matrix Table

Frequency         | Catastrophic | Critical            | Marginal     | Negligible
                  | > 1 death    | 1 death or injuries | minor injury | prod loss
1 per year        |              |                     |              |
1 per 10 years    |              |                     |              |
1 per 100 years   |              |                     |              |
1 per 1000 years  |              |                     |              |
1 per 10000 yrs   |              |                     |              |
1 per 100000 yrs  |              |                     |              |

[The risk class entered in each cell is not legible in the source]
Example of applying the Risk Matrix Technique

A chlorine electrolyser plant presents a major leak hazard due to loss of pressure control.

The estimated frequency of occurrence is once per 10 years.

The estimated consequence without any protective measures is that the operating team of 3 people will be likely to suffer serious injury or they may be killed.

1. Use the information given above and the Risk Matrix table below to classify the given risk and its frequency.

2. Using this table, decide the maximum tolerable risk frequency to reduce the risk to class 3 (considered to be acceptable).

3. Calculate the target risk reduction factor, PFDavg values and safety availability required from the proposed Safety Instrumented System to achieve the tolerable risk frequency.

4. State the target safety integrity level required from the SIS by reference to the SIL tables.
[Figure: IEC 61511 risk reduction diagram for the example. Fnp = 0.1/yr arising from the process and the process control system; the necessary risk reduction is provided by external risk reduction facilities, the E/E/PE safety-related system and other technology safety-related systems, down to the tolerable consequence of the hazardous event; overall RRF = 1000]
Fnp = 0.1   Ft = 0.0001
PFDavg = 0.001
SIL = 2

Risk Reduction Factor: RRF = Fnp/Ft = 0.1/0.0001 = 1000

The PFDavg required is 1/RRF = 1/1000 = 1 x 10^-3
Safety availability = (RRF - 1)/RRF = 999/1000 = 0.999 or 99.9%.

The SIL table shows the required PFDavg is in the range 10^-2 to 10^-3 and therefore:

The required Safety Integrity Level is 2
Safety Integrity Levels

Target failure measures (PFDavg) for a safety function operating in a low demand mode of operation

SIL | PFDavg             | Safety Availability | Risk Reduction Factor
4   | 0.0001 - 0.00001   | 0.9999 - 0.99999    | 10000 - 100000
3   | 0.001 - 0.0001     | 0.999 - 0.9999      | 1000 - 10000
2   | 0.01 - 0.001       | 0.99 - 0.999        | 100 - 1000
1   | 0.1 - 0.01         | 0.9 - 0.99          | 10 - 100
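The simplified risk model terms (RRF, SA and PFDavg) and the chlorine electrolyser figures worked through above, carried into an added Python example that is not part of the slides: the SIL bands are those of the table above, the function names are my own, and the result is also checked on the boiler drum case (Fnp = 1/yr, target RRF 1000) that follows, where independent layers multiply.

```python
import math
from dataclasses import dataclass

# Low-demand-mode target failure measures from the SIL table:
# (SIL, PFDavg lower bound inclusive, PFDavg upper bound exclusive).
SIL_BANDS = (
    (4, 1e-5, 1e-4),
    (3, 1e-4, 1e-3),
    (2, 1e-3, 1e-2),
    (1, 1e-2, 1e-1),
)
_TOL = 1e-9  # relative slack so that 0.1/0.0001 lands on the 1e-3 boundary, not beside it


@dataclass(frozen=True)
class SifTarget:
    rrf: float                  # Risk Reduction Factor = Fnp / Ft
    pfd_avg: float              # 1 / RRF = Ft / Fnp
    safety_availability: float  # (RRF - 1) / RRF
    sil: int                    # 0 means an RRF of 10 or less: no SIL claim is possible


def risk_reduction_factor(f_np: float, f_t: float) -> float:
    """Unprotected frequency Fnp over tolerable frequency Ft (both per year)."""
    if f_np <= 0 or f_t <= 0:
        raise ValueError("frequencies must be positive (per year)")
    return f_np / f_t


def safety_availability(rrf: float) -> float:
    return (rrf - 1.0) / rrf


def pfd_avg(rrf: float) -> float:
    return 1.0 / rrf


def sil_for_pfd(pfd: float) -> int:
    """Map a required PFDavg onto the low-demand SIL bands; 0 means below SIL 1."""
    if pfd >= 0.1 * (1 - _TOL):
        return 0
    for sil, lo, hi in SIL_BANDS:
        if lo * (1 - _TOL) <= pfd < hi * (1 - _TOL):
            return sil
    raise ValueError("PFDavg below 1e-5 is beyond SIL 4: a single SIF cannot be relied on")


def sif_target(f_np: float, f_t: float) -> SifTarget:
    """From Fnp and Ft, the RRF, PFDavg, safety availability and SIL a SIF must meet."""
    rrf = risk_reduction_factor(f_np, f_t)
    if rrf <= 1.0:
        raise ValueError("unprotected risk already meets the target: no SIF required")
    pfd = f_t / f_np  # equal to 1/RRF; computed directly to limit rounding
    return SifTarget(rrf, pfd, safety_availability(rrf), sil_for_pfd(pfd))


def combined_rrf(*layer_rrfs: float) -> float:
    """Independent protection layers multiply: RRF_total = RRF_1 x RRF_2 x ..."""
    return math.prod(layer_rrfs)


if __name__ == "__main__":
    t = sif_target(0.1, 0.0001)  # chlorine electrolyser example from the slides
    print(f"RRF {t.rrf:.0f}, PFDavg {t.pfd_avg:.3g}, "
          f"SA {t.safety_availability:.3%}, SIL {t.sil}")
```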
Example of applying a Simplified Risk Model
Target RRF determined as = 1000

[Figure: boiler steam drum with feed water supply, drum level control and process alarms]

HAZOP Study has identified a hazard of low level in the boiler drum leading to possible tube rupture and potential burn injury or possible fatality of 1 person with a frequency of once per year.
Stage 1 - Consider an Independent Alarm Function

[Figure: boiler steam drum with feed water supply and an added Low Low Level Alarm]
Risk reduction model for Independent Alarm Function

[Figure: EUC risk, low level event 5/yr -> process alarm (operator) PFD = 0.2 -> 1 demand/yr on LAL-01 + operator, PFD = 0.1 -> residual frequency 0.1/yr; consequence: boiler damage & 2 injuries]

RRF = 1/PFD
Overall risk reduction (RRF) = 10

Low level in drum 5 times per year; the operator misses the process LAL once per year, so assume 1 demand on the IAF per year.

We must consider the operator as well and therefore limit the alarm credit to a PFD of 0.1, in line with IEC 61511-3 guidance.
Low drum level protection with pre-trip alarm and SIF

[Figure: boiler steam drum with feed water supply, pre-trip alarm and SIS logic solver tripping the boiler]
Risk Reduction Model for Boiler Trip

Overall Risk Reduction (RRF) = 1000

[Figure: EUC risk, low level event 5/yr -> process alarm fails (operator) PFD = 0.2 -> 1 demand/yr -> IAF (LAL-01 + operator) PFD = 0.1 -> 0.1/yr -> SIF PFD = 0.01 -> residual risk 0.001/yr; consequence: boiler damage & 2 injuries]

Target RRF is 1000, therefore combined IAF (RRF = 1/0.1 = 10) x SIF (RRF = 1/0.01 = 100) = 10 x 100 = 1000
Fault Tree Analysis

- It is a top down technique
- It starts with an undesired top event and from there we try to find out all the different ways the top event can occur
- It can be used to find any combination of events or failures that can cause the TOP event
- It is a verification technique
What is fault tree analysis about?

- The causes of the TOP event are connected through logic gates in a tree format
- Most common technique for causal analysis in risk and reliability studies, especially in the nuclear, aerospace and defence industries
- Can be performed qualitatively as well as quantitatively
The FTA Process

- Define scope of project
- Define the top event
- Develop the fault tree using gates
- Identify Cut Sets (combinations of base events that can cause the top event to occur)
- Add numerical values (failures & probabilities)
- Document results
Fault tree gate arithmetic

[Figure: example tree, drawn vertically or horizontally. Top event Explosion = Ignition AND Flammable gas; Ignition = Electrical fault (P1) OR Lightning strike (P2); Flammable gas occurs F1 times per year]

Explosion frequency = ((P1 + P2) x F1) per year

AND gate: P1 x P2, P1 x F1, F1 x P2, etc.
Note: F1 x F2 is not valid unless periods are known.

OR gate: P1 + P2, F1 + F2
Example of applying Fault Tree Analysis to a Risk Reduction

Basic tank level control with an over pressure flammable gas release hazard. HAZOP identifies two possible causes of release: level control failure, or operator error closing the outlet valve when it is required open.

[Figure: tank P&ID with level control, discharge valve and pump]


Fault Tree for Tank Loss of Containment Example 


Level 
control 
fails high 


Flammable 
Explosion 
0.015/yr 


Flammable 
cloud fails 
to disperse 


from pump 


Operator 
in area 


Company has set a Tolerability Criteria of 0.2E08 hours (FAR) for a LOC event 
leading to a possible fatality (assume 24/7 operation & 8760 hours = 1 year) 


ProSalus Limited 


Fatality 
0.003/yr. 


EUC Risk= 0.003/yr. 
FAR approx = 34 
Tolerable 

FAR = 0.2 


Overall SRS requires 
RRF =34 
0.2 
=170 


Slide 4 - 54 


Copyright: ProSalus Ltd 2011 


27 


Functional Safety Engineering 


— ProSalus Functional Safety Engineering 


Adding a Passive Protection Layer (Mitigation Layer)

[Figure: the same fault tree with a passive (mitigation) layer added between the explosion and the fatality: level control fails high 0.2/yr; explosion 0.015/yr; fatality 0.0003/yr]

EUC Risk = 0.0003/yr
FAR approx = 3.4
Tolerable FAR = 0.2

Assume the passive layer reduces the risk to 10% of its former value, therefore an RRF = 10 is allocated (RRF = 1/0.1 = 10).

Overall SRS requires RRF = 3.4 / 0.2 = 17
Adding an Active (SIF) Protection Layer

[Figure: fault tree with a SIF added, P = 0.06. Values legible on the slide: level control fails high 0.2/yr; operator error 0.8/yr; RV opens 0.06/yr; flammable cloud fails to disperse P = 0.3; flammable cloud 0.02/yr; sparks from pump; explosion 0.004/yr; operator in area P = 0.02; fatality 0.00002/yr; Tolerable FAR = 0.2; allocated RRF = 10]
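An added Python example, not taken from the slides, that applies the AND/OR gate rules from the fault tree slide to the tank loss-of-containment tree, converts the resulting fatality frequency to a FAR for comparison with the company's 0.2 criterion, and credits the passive layer to find the RRF left for the SIF. The 0.2/yr, 0.8/yr and P = 0.3 values appear on the slides; the spark and operator-in-area probabilities are assumed values chosen to reproduce the slides' 0.015/yr explosion and 0.003/yr fatality figures, and the function names are my own.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 8760      # continuous 24/7 operation, as the slide assumes
FAR_BASIS_HOURS = 1e8      # FAR = fatalities per 10^8 exposed hours


@dataclass(frozen=True)
class Event:
    name: str
    value: float
    kind: str   # "F": frequency per year, "P": dimensionless probability


def and_gate(name: str, *inputs: Event) -> Event:
    """AND gate: P1 x P2, P1 x F1, F1 x P2 ... At most one input may be a frequency;
    F1 x F2 is rejected because it is not valid unless exposure periods are known."""
    freqs = [e for e in inputs if e.kind == "F"]
    if len(freqs) > 1:
        raise ValueError(f"{name}: F x F is not valid unless periods are known")
    value = 1.0
    for e in inputs:
        value *= e.value
    return Event(name, value, "F" if freqs else "P")


def or_gate(name: str, *inputs: Event) -> Event:
    """OR gate: P1 + P2 or F1 + F2 (rare-event approximation); kinds may not be mixed."""
    kinds = {e.kind for e in inputs}
    if len(kinds) != 1:
        raise ValueError(f"{name}: cannot add a frequency to a probability")
    return Event(name, sum(e.value for e in inputs), kinds.pop())


def far_from_frequency(fatalities_per_year: float,
                       exposed_hours_per_year: float = HOURS_PER_YEAR) -> float:
    """Fatal Accident Rate: fatalities per 10^8 exposed hours."""
    return fatalities_per_year * FAR_BASIS_HOURS / exposed_hours_per_year


def required_rrf(far_actual: float, far_tolerable: float) -> float:
    return far_actual / far_tolerable


def residual_rrf(rrf_required: float, *credited_layer_rrfs: float) -> float:
    """RRF still to be provided by the SIF once other layers are credited (RRFs multiply)."""
    for layer in credited_layer_rrfs:
        rrf_required /= layer
    return rrf_required


def tank_loc_example() -> dict:
    """Tank loss-of-containment tree. 0.2/yr, 0.8/yr and P = 0.3 are on the slides;
    the spark (0.05) and operator-in-area (0.2) probabilities are ASSUMED so that the
    tree reproduces the slides' 0.015/yr explosion and 0.003/yr fatality."""
    loc = or_gate("Loss of containment",
                  Event("Level control fails high", 0.2, "F"),
                  Event("Operator error (outlet valve closed)", 0.8, "F"))
    cloud = and_gate("Flammable cloud", loc, Event("Cloud fails to disperse", 0.3, "P"))
    explosion = and_gate("Explosion", cloud, Event("Sparks from pump", 0.05, "P"))
    fatality = and_gate("Fatality", explosion, Event("Operator in area", 0.2, "P"))
    far = far_from_frequency(fatality.value)
    rrf = required_rrf(far, 0.2)   # company criterion: FAR 0.2
    return {"explosion_per_year": explosion.value, "fatality_per_year": fatality.value,
            "far": far, "rrf_required": rrf,
            "rrf_for_sif": residual_rrf(rrf, 10)}   # passive layer credited with RRF 10


if __name__ == "__main__":
    r = tank_loc_example()
    print(f"FAR {r['far']:.1f}, RRF required {r['rrf_required']:.0f}, "
          f"left for the SIF after the passive layer {r['rrf_for_sif']:.0f}")
```

The slides round the FAR to 34 before dividing, giving 170 and 17; the unrounded figures are 171 and 17.1.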


Event Tree Analysis

- Helps us understand the consequences of events
- Models an initiating event and the time sequence of event propagation to the potential consequences
- Can be used qualitatively as well as quantitatively
- Can be developed independently or in combination with fault tree analysis
Dust Explosion event tree (adapted from IEC 60300-3-9)

Initiating event: dust explosion. Branch questions in order: Start of fire? Sprinkler system malfunction? Fire alarm is not activated? (the 'True' branch is drawn upwards on the slide)

Outcome                          | Frequency (per year)
Uncontrolled fire with no alarm  | 8.0 x 10^-8
Uncontrolled fire with alarm     | 7.99 x 10^-5
Controlled fire with no alarm    | 7.92 x 10^-6
Controlled fire with alarm       | 7.91 x 10^-3
No fire                          | 2.0 x 10^-3
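The dust explosion tree evaluated in an added Python example that is not part of the slides or of IEC 60300-3-9: a small recursive event-tree evaluator multiplies the initiating frequency along every branch path. The branch probabilities (0.8, 0.01, 0.001) and the 10^-2/yr initiating frequency are assumptions chosen to reproduce the outcome frequencies above; the names are my own.

```python
from dataclasses import dataclass
from typing import Dict, Union


@dataclass(frozen=True)
class Branch:
    question: str   # the column header of the event tree, e.g. "Start of fire"
    p_yes: float    # probability the condition holds (the 'True' branch)
    yes: "Node"     # sub-tree (or outcome label) when it holds
    no: "Node"      # sub-tree (or outcome label) when it does not


Node = Union[Branch, str]   # a str is a terminal outcome label


def evaluate(node: Node, frequency: float) -> Dict[str, float]:
    """Propagate an initiating-event frequency down every path of the tree.

    Each branch multiplies the incoming frequency by its branch probability, so the
    outcome frequencies always sum back to the initiating frequency.
    """
    if isinstance(node, str):
        return {node: frequency}
    if not 0.0 <= node.p_yes <= 1.0:
        raise ValueError(f"{node.question}: probability out of range")
    outcomes: Dict[str, float] = {}
    for child, p in ((node.yes, node.p_yes), (node.no, 1.0 - node.p_yes)):
        for label, f in evaluate(child, frequency * p).items():
            outcomes[label] = outcomes.get(label, 0.0) + f
    return outcomes


def dust_explosion_tree() -> Branch:
    """The tree shown on the slide. ASSUMED branch probabilities (fire starts 0.8,
    sprinkler malfunctions 0.01, alarm not activated 0.001) are not printed on the
    slide but reproduce its outcome frequencies. 'No fire' ends the sequence."""
    def alarm(prefix: str) -> Branch:
        return Branch("Fire alarm is not activated", 0.001,
                      f"{prefix} fire with no alarm", f"{prefix} fire with alarm")
    return Branch("Start of fire", 0.8,
                  Branch("Sprinkler system malfunction", 0.01,
                         alarm("Uncontrolled"), alarm("Controlled")),
                  "No fire")


def dust_explosion_outcomes(initiating_frequency: float = 1e-2) -> Dict[str, float]:
    """Outcome frequencies per year for an ASSUMED 10^-2/yr dust explosion."""
    return evaluate(dust_explosion_tree(), initiating_frequency)


if __name__ == "__main__":
    for label, f in dust_explosion_outcomes().items():
        print(f"{label:32s} {f:.2e} /yr")
```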
Safety Requirements Specification

[Figure: structure of the SRS. Input information and general requirements -> list of SIFs -> for each SIF (SIF-1, SIF-2, SIF-3) the functional requirements and the safety integrity requirements]


Safety Integrity Requirements for a SIF

The SIL of a SIF has been selected during the SIL determination study:
- Risk Graph, LOPA, Risk Matrix
- SIL 1, 2 or 3

This information must now be communicated to the design team to ensure the design meets the SIF safety integrity requirements during implementation.

This is communicated by the Safety Requirements Specification (SRS), which is the basis of the SIS validation.
Functional Requirements for a SIF

- Functional requirements are derived from the hazard study and typically captured in the:
  - Piping & Instrument Diagrams
  - Cause & Effect Matrix
  - SIS Philosophy document
  - Functional Logic Diagram
- This information is communicated to the design team via the SRS to ensure the required functionality is implemented
- This functionality is translated into the Functional Design Specification (FDS), which is the basis of the SIS design
Safety Requirements Specification

- The SRS must be prepared before commencing any design work
- Be based on the guidance in IEC 61511-1/2 Clause 10 & 12
- Expressed and structured in such a way that it is:
  - Clear;
  - Precise;
  - Verifiable;
  - Maintainable;
  - Feasible
- Written to aid comprehension by those who are likely to utilize the information at any phase of the lifecycle
Framework for the SRS

The SRS contains the functional and integrity requirements for each SIF and should provide sufficient information to design and engineer the SIS, and include statements on the following for each SIF:

- Description of the SIF;
- Common cause failures;
- Safe state definition for the SIF;
- Demand rate;
- Proof test intervals;
- Response time to bring the process to a safe state;
- SIL and mode of operation (demand or continuous);
- Process measurements and their trip points;
- Process output actions and successful operation criteria;
- Functional relationship between inputs and outputs;
- Manual shutdown requirements;
- Energizing or de-energizing to trip;
- Resetting after a shutdown;
- Maximum allowed spurious trip rate;
- Failure modes and SIS response to failures;
- Starting up and restarting the SIS;
- Interfaces between the SIS and any other system;
- Application software;
- Overrides / inhibits / bypasses and how they will be cleared;
- Actions following a SIS fault detection.

Non-safety instrumented functions may be carried out by the SIS to ensure orderly shutdown or faster start-up. These must be separated from the SIFs.
Example SRS Template

SYSTEM REQUIREMENTS

SIF TITLE: HP KO Drum Overfill Protection System

P&ID No: 3203-T-VAB-P-XB-43-0020-01 & 3203-T-VAB-P-XB-50-0010-01
SCD No: 3203-T-VAB-I-XL-43-0020-01 & 3203-T-VAB-I-XL-50-0010-01

INSTRUMENT IDENTIFICATION: 43LST0141A/B, 43LST0132 and 43LST0133

ACTIONS / OUTPUTS:
1) Stop 50PS001A
2) Stop 50PS001B

SUCCESS CRITERIA: Valves closed / pumps stopped and prevented from being opened / restarted until the trip condition has been cleared and the SIF is reset.

FUNCTIONAL RELATIONSHIP: 43LST0141A/B: 1oo2 level instruments detect 84.8% level in 43VD001, THEN stop 2oo2 seawater pumps AND prevent either seawater pump from being started UNTIL the trip condition has been cleared and the SIF has been reset. If a diagnostic fault alarm is present on 2oo2 level instruments, THEN stop 2oo2 seawater pumps AND prevent either seawater pump from being started UNTIL the fault condition has been cleared and the SIF has been reset.

COMMON CAUSE FAILURES:
1) POWER LOSS: Upon power loss the seawater pumps stop. If the logic solver is powered off, all the outputs are powered off, breaking the power circuit to the pumps and stopping them.
2) COMPRESSED AIR LOSS: Not applicable.
Example SRS Template

PROCESS DETAILS

NORMAL PLANT OPERATION: There are no continuous sources to the HP KO Drum during normal operation; the drum has sufficient capacity for accumulation of liquid slugs up to 100 m³ in the subsea depressurisation mode between NLL and LAHH (PSD - 42.1%); all ESD valves are open and the seawater pumps are running.

ABNORMAL PLANT OPERATION: Level is exceeded due to increased flow in condensation from the oil system, separation system, relief from heat exchangers or depressurisation of equipment.

SIS INTERFACES: An alarm is required to indicate that the SIF has been demanded, i.e. if 43LST0141A/B LAHH (ESD - 84.7%) has been exceeded. An alarm is required to indicate that any subsystem within the SIF has a diagnostic fault, i.e. 43LST0141A/B has diagnosed an internal failure. An inter trip from the OPS to ESD2 is required for a 43LST0141A/B LAHH (ESD - 84.7%) exceeded.

SAFE STATE DEFINITION: 50PS001A/B seawater pumps stopped and no cooling required.

CONCURRENT SAFE STATES CREATING A SEPARATE HAZARD: None identified.

PROCESS SAFETY TIME: Within 45 seconds for seawater pumps stop from LAHH - ESD detected (84.7%).

NORMAL OPERATIONAL PROCEDURES: Drum operates at 20% full with one seawater pump operational and cooling required.

ABNORMAL OPERATIONAL PROCEDURES: Drum operates at 65% full with one pump running and no cooling required.
Example SRS Template

SIL DATA

TARGET SIL: TARGET [not legible in the source] / ACTUAL [not legible in the source]

TARGET SAFETY INTEGRITY (PFDavg): 1.65E-03

MODE OF OPERATION: Demand Mode

SOURCES OF DEMAND: Level is exceeded due to increased flow in condensation from the oil system, separation system, relief from heat exchangers or depressurisation of equipment, or due to:
1) Maximum normal production
2) Choke failure
3) Process depressurisation
4) Blocked outlet of Alvheim Inlet Separator
5) Pressure safety valve or rupture disc
6) Blowdown of production flow lines
7) Spill off control valves
8) Manual flare valves
9) Leakage through valves and relief valves

DEMAND RATE ON SIF (IF KNOWN): [not stated]

SIS RESPONSE TIME: TARGET within 5 seconds / ACTUAL 2 seconds
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Example SRS Template 


TRIP ACTIONS

OPERATOR INTERFACES: The operator will be able to monitor the SIF status and control the functions of the SIF by the use of a password via the HMI. Each input (including internal diagnostic fault alarm status) shall be provided with an alarm on the HMI that shall alert the operator when the input is in the tripped state irrespective of the override condition. An audible alarm will also be sounded. Operators can silence the sounder and acknowledge the trip at the HMI. The trip is reset via the HMI and requires a password to initiate the reset once the trip condition has been cleared. This will allow the seawater pumps to be restarted.

SYSTEM START/RESTART: The trip system logic solver is implemented via a PLC, and while the PLC is powered, and the appropriate I/O is connected and powered, the system will monitor the HP KO Drum status. Upon power up, the SIF will be in the tripped state, and will need to be reset via the HMI, provided that neither a trip nor a diagnostic fault condition is present. This will allow the pumps to be restarted.

MANUAL SHUTDOWN REQUIREMENTS: The existing ESD pushbutton system will remain unchanged and will not be a direct input to the OPS.


ENERGISE/DE-ENERGISE TO TRIP: LAHH from the SIS is to de-energise an interposing relay. The relay configuration is such that this energises a contactor which applies power to a switching mechanism to drive open the contacts and remove power from the pumps.

RESETTING AFTER A SHUTDOWN: A trip is reset via the HMI and requires a password to initiate the reset, provided that the trip condition is no longer present. This will allow the pumps to be restarted.

OVERRIDES/INHIBITS/BYPASSES: A maintenance override is required for all inputs and outputs to facilitate on-line maintenance and function testing of subsystems after maintenance and repair. The override will be via the HMI and will require a password to initiate the override. An alarm will be raised on the HMI to indicate that the override is present, and the override time and name of the initiator will be logged by the event recorder. All maintenance overrides shall be password protected and, in addition, any override that is left in the override position for more than 8 hours will initiate a critical alarm.

DANGEROUS COMBINATIONS OF OUTPUT STATES: Both seawater pumps stopped when heat exchangers are still in use.

SPECIFY ACTIONS TO ACHIEVE/MAINTAIN SAFE STATE ON SIS FAULT INCLUDING HUMAN FACTORS: If there is a 2oo2 SIF diagnostic fault on the sensor subsystems or a 2oo2 diagnostic fault on the logic solver subsystem, the plant will shut down. If the fault occurs during a high high level condition then the general ESD push button should be initiated, in line with the current plant functionality.
Example SRS Template


FAILURE MODES

SENSOR FAILURES: 43LST0141A/B are nucleonic detectors providing an analogue input to the PLC. The detectors will be designed to fail safe, i.e. a zero signal to the PLC will result in a fault alarm. If all sensors (2oo2) are in a failed state the PLC will stop the seawater pumps.

LOGIC SOLVER FAILURES: The PLC will be configured such that the safe state of the plant will be maintained if it is powered down or removed, i.e. no supply to the seawater pumps, thus the pumps will stop. If there is a failure of the PLC, an alarm will be raised on the HMI. If there is a 2oo2 diagnostic fault on the PLC the system will shut down with all outputs set to zero.

FINAL ELEMENT FAILURES: The pumps will be designed to fail stopped, and will only start if there is no trip condition. If a pump fails to stop on command or allows seawater to pass, these are dangerous failures which will be taken into account in the SIL verification calculations. Pump discrepancy alarms will be raised on the HMI if the pump is running when commanded to stop or stopped when commanded to start.

DESIRED RESPONSE OF SIF TO FAILURE MODES: 1) Stop [pump A tag illegible in source]  2) Stop SoPS001B
APPLICATION SOFTWARE

SOFTWARE TYPE: Vendor SIL 3 TUV Certified module library

SOFTWARE REQUIREMENTS TO CLAUSE 12.2.2 OF IEC 61511


ENVIRONMENTAL EXTREMES

TEMPERATURE: +/- 20 degrees Celsius
HUMIDITY: Up to 85%


MAINTENANCE ISSUES

3203-T-VAB-I-SR-43-0022-01

CONSIDERATIONS: Routine testing and maintenance will be implemented when the plant is shut down. Breakdown maintenance can be done by utilising the maintenance override for the channel under repair and by replacement of faulty components.

1.0 NOTES 
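The trip, reset, override and fail-safe behaviours written into the SRS rows above (tripped state on power-up, password-protected reset refused while a trip or diagnostic fault persists, 2oo2 failed-sensor trip, password-protected override with the initiator and time logged, critical alarm after 8 hours of override, and the dangerous combination of both pumps stopped with heat exchangers in use) can be exercised in a small logic-solver model. The code below is an added example written for this page, not code from the original slides or from any vendor PLC library. The LAHH setpoint, the HMI password, the channel names A/B, the hour-based clock and the rule that any healthy, non-overridden channel at LAHH demands a trip are assumptions; the behaviours listed above are taken from the SRS.

```python
"""Logic-solver model of the HP KO Drum LAHH SIF described in the SRS (added example)."""
from dataclasses import dataclass, field

LAHH_SETPOINT = 80.0           # assumed high-high level in % full (not given on the slide)
OVERRIDE_CRITICAL_HOURS = 8    # SRS: an override left in for more than 8 hours raises a critical alarm
HMI_PASSWORD = "example-only"  # hypothetical credential; a real HMI would use its own access control


@dataclass
class Sif:
    tripped: bool = True                       # SRS: the SIF is in the tripped state on power-up
    channel_fault: dict = field(default_factory=lambda: {"A": False, "B": False})
    overrides: dict = field(default_factory=dict)   # channel -> (initiator, start time in hours)
    alarms: list = field(default_factory=list)      # HMI alarms, latched until acknowledged
    log: list = field(default_factory=list)         # event recorder: (time, text)

    def _alarm(self, text: str) -> None:
        if text not in self.alarms:
            self.alarms.append(text)

    def acknowledge(self) -> None:
        self.alarms.clear()

    def pumps_energised(self) -> bool:
        # De-energise to trip: the interposing relay only holds the pumps in while the SIF is reset
        return not self.tripped

    def scan(self, levels: dict, now_h: float) -> None:
        """One PLC cycle. levels maps channel -> measured level (% full); 0.0 means lost signal."""
        demand = False
        for ch, value in levels.items():
            # Nucleonic detector fails safe: a zero signal is a channel fault, not a low level
            self.channel_fault[ch] = value == 0.0
            if self.channel_fault[ch]:
                self._alarm(f"FAULT {ch}")
                continue
            if value >= LAHH_SETPOINT:
                # Alarm is raised irrespective of override; only the trip action is inhibited
                self._alarm(f"LAHH {ch}")
                if ch not in self.overrides:
                    demand = True   # assumption: any healthy, non-overridden channel at LAHH trips
        both_faulted = all(self.channel_fault[ch] for ch in levels)   # 2oo2 sensor fault
        if (demand or both_faulted) and not self.tripped:
            self.tripped = True
            self.log.append((now_h, "TRIP"))
        for ch, (who, start) in self.overrides.items():
            if now_h - start > OVERRIDE_CRITICAL_HOURS:
                self._alarm(f"CRITICAL OVERRIDE {ch} by {who}")

    def reset(self, password: str, levels: dict, now_h: float) -> bool:
        """HMI reset: password required, refused while a trip or diagnostic fault condition persists."""
        self.scan(levels, now_h)
        if password != HMI_PASSWORD:
            return False
        healthy = not any(self.channel_fault.values())
        cleared = all(v < LAHH_SETPOINT for ch, v in levels.items() if ch not in self.overrides)
        if healthy and cleared:
            self.tripped = False
            self.log.append((now_h, "RESET"))
        return not self.tripped

    def set_override(self, channel: str, initiator: str, password: str, now_h: float) -> bool:
        """Maintenance override: password protected, initiator and time logged, alarm shown on HMI."""
        if password != HMI_PASSWORD:
            return False
        self.overrides[channel] = (initiator, now_h)
        self._alarm(f"OVERRIDE {channel}")
        self.log.append((now_h, f"OVERRIDE {channel} by {initiator}"))
        return True

    def dangerous_output_state(self, heat_exchangers_in_use: bool) -> bool:
        """The dangerous combination named in the SRS: both pumps stopped while exchangers are in use."""
        return heat_exchangers_in_use and not self.pumps_energised()
```

The model keeps the safe direction explicit: every path that is uncertain (lost signal, both channels faulted, wrong password, trip condition still present) leaves or puts the SIF in the tripped state, and only a password-authorised reset with healthy channels below the setpoint re-energises the pumps. The override path shows why the SRS insists on logging the initiator and raising the 8 hour critical alarm: while channel A is overridden its LAHH alarm still appears, but it no longer contributes to a trip.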
Fault Tree Analysis Exercise
Practical exercise no: 1 Fault Tree Analysis

This practical exercise requires attendees to construct a fault tree diagram using the basic principles introduced in this module. It uses an example of a simple reactor with automatically controlled feeds that has the potential to cause a serious risk to plant personnel.

Once the basic fault tree has been drawn, the model is to be adjusted to incorporate a safety-instrumented system and to demonstrate the resulting risk reduction.
The process is a reactor with a continuous feed of fuel and oxidant. Two flow control loops are operated under a ratio controller set by the operator to provide matching flows of fuel and oxidant to the reactor. An explosive mixture can occur within the reactor if the fuel flow becomes too high relative to the oxidant flow.

Possible causes are: failures of the BPCS, or an operator error in manipulating the controls, leading to sudden loss of oxidant feed.

A SIS is proposed with a separate set of flow meters connected to a flow ratio measuring function that is designed to trip the process to a safe condition if the fuel flow exceeds the oxidant flow by a significant amount.

The tag number for this Safety Instrumented Function is FFSH-03.
[Figure: Fault tree for basic hazard. Top event: Explosion; inputs: Ignition, Ex. mix (explosive mixture)]

[Figure: Fault tree for risk reduction using SIS. Top event: Explosion]

SAFETY CONSULTANTS
Functional Safety Engineering
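The arithmetic behind the two fault trees in the exercise (the basic hazard tree and the tree with FFSH-03 added) can be carried through as follows. This is an added example, not part of the course material or its answer sheet. The initiating-event frequencies, the ignition probability and the tolerable explosion frequency are constructed sample values; the SIF PFD reuses the 1.65E-03 figure from the SRS slide purely for illustration; and the gate structure (Explosive mixture = BPCS failure OR operator error; Explosion = Explosive mixture AND Ignition, with the SIF failing on demand as a further AND input) is the usual way this exercise is modelled, stated here as an assumption rather than as the course's answer. The SIL bands are the IEC 61511 demand-mode PFDavg ranges.

```python
"""Fault tree arithmetic for the reactor explosion exercise (added example, constructed values)."""

# IEC 61511 demand-mode PFDavg bands: (lower bound inclusive, upper bound exclusive, SIL)
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]


def or_gate_frequency(initiators: dict) -> float:
    """OR gate over independent initiating events given as frequencies (per year).
    Frequencies add; this is the rare-event approximation used in hand-drawn fault trees."""
    return sum(initiators.values())


def and_gate(frequency: float, *probabilities: float) -> float:
    """AND gate combining one frequency input with conditional probabilities (each 0..1).
    Only one branch may carry a frequency, otherwise the result has no meaningful units."""
    result = frequency
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        result *= p
    return result


def explosion_frequency(initiators: dict, p_ignition: float, pfd_sif: float = 1.0) -> float:
    """Top event frequency. pfd_sif=1.0 reproduces the basic hazard tree (no SIS credited)."""
    f_explosive_mixture = or_gate_frequency(initiators)
    return and_gate(f_explosive_mixture, p_ignition, pfd_sif)


def required_pfd(unmitigated: float, target: float) -> float:
    """PFD the SIF must achieve so the mitigated frequency meets the target."""
    return target / unmitigated


def risk_reduction_factor(pfd: float) -> float:
    return 1.0 / pfd


def sil_for_pfd(pfd: float):
    """SIL band for a demand-mode PFDavg; 0 means no SIL claimable, None means below the SIL 4 band."""
    for lo, hi, sil in SIL_BANDS:
        if lo <= pfd < hi:
            return sil
    return 0 if pfd >= 1e-1 else None


# Constructed sample data for the reactor exercise (assumptions, not course figures)
INITIATORS = {
    "BPCS failure causing loss of oxidant feed": 0.1,   # per year
    "Operator error manipulating the controls": 0.05,  # per year
}
P_IGNITION = 0.5                 # assumed probability that an explosive mixture ignites
TARGET_EXPLOSION_FREQ = 1e-5     # per year, assumed tolerable frequency for the top event
SIF_PFD = 1.65e-3                # reused from the SRS slide's target safety integrity


def exercise() -> dict:
    basic = explosion_frequency(INITIATORS, P_IGNITION)
    needed = required_pfd(basic, TARGET_EXPLOSION_FREQ)
    with_sis = explosion_frequency(INITIATORS, P_IGNITION, SIF_PFD)
    return {
        "basic": basic,
        "required_pfd": needed,
        "required_sil": sil_for_pfd(needed),
        "with_sis": with_sis,
        "rrf": risk_reduction_factor(SIF_PFD),
        "sil_claimed": sil_for_pfd(SIF_PFD),
    }


if __name__ == "__main__":
    for name, value in exercise().items():
        print(f"{name:13s} {value}")
```

With these sample values the unmitigated explosion frequency is 0.075 per year, so meeting a 1E-05 per year target needs a PFD of about 1.3E-04, which sits in the SIL 3 band, whereas a SIF at 1.65E-03 (SIL 2, RRF about 606) only brings the frequency down to about 1.2E-04 per year. That gap between the SIL the tree demands and the SIL the proposed SIF achieves is exactly what the second fault tree in the exercise is meant to expose.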